PrepAway - Latest Free Exam Questions & Answers

Which choice below is NOT an accurate description of an information policy?


A. Information policy is senior management’s directive to create a
computer security program.

B. Information policy is a documentation of computer security
decisions.

C. An information policy could be a decision pertaining to use of the
organization’s fax.

D. Information policies are created after the system’s infrastructure has
been designed and built.

Explanation:
Computer security policy is often defined as the documentation
of computer security decisions. The term policy has more than
one meaning. Policy is senior management’s directives to create a
computer security program, establish its goals, and assign
responsibilities. The term policy is also used to refer to the specific
security rules for particular systems. Additionally, policy may refer
to entirely different matters, such as the specific managerial
decisions setting an organization’s e-mail privacy policy or fax
security policy.

A security policy is an important document to develop while
designing an information system, early in the System Development
Life Cycle (SDLC). The security policy begins with the organization’s
basic commitment to information security formulated as a general
policy statement. The policy is then applied to all aspects of the
system design or security solution. Source: NIST Special Publication
800-27, Engineering Principles for Information Technology Security (A
Baseline for Achieving Security).
